just another infosec blog

Magento vulnerability and notifying customers

Last week Check Point Software Technologies LTD (Check Point) disclosed a remote code execution vulnerability in the Magento e-commerce platform. This vulnerability is quite severe because it leads to a complete compromise of any store based on this platform. Having worked on projects using Magento in the past, I worry a bit. Not because Magento is vulnerable – no. I worry about the routines for notifying the customers who ordered products built on this platform. Usually in security the flow goes somewhat like this: the party that found the hole notifies the vendor, the vendor issues a fix and security bulletins to product makers, and the product makers inform their customers or simply apply the fix. But – we’re talking about product makers who are in a product loop or have a support deal with their customers. What about those customers who aren’t currently in a product or support loop?

From experience, when such things happen, customers who are not in the current development or support loop are left on their own. Every project has its lifespan from start to finish. We build the products and support them for a given time frame. But what happens when the support contract ends? The product lives on – with a huge gash revealing every vital organ. Everyone can see it, but nobody recognizes the danger, since very few are doctors. Sadly the caretakers aren’t notified because there’s no support deal. It’s all about the deals, isn’t it? I saw this back when I wrote about eZ Publish revealing password hashes through ezjscore. That post is one of the most popular pieces I’ve written.

Even though the support contract has come to an end, I believe that any company that produces products is responsible for handling such incidents. It’s all about caring for the customer and potentially prompting the customer to come back in the future. Building good relations is vital both for the producing company and for the IT industry in general. It’s better to reach out saying “you’ve got a problem, we can fix it” than saying “you’ve got a problem, contact us to set up a new support contract and then wait six months for repairs”.